CVE-2025-10416: SQL Injection in Campcodes Grocery Sales and Inventory System
A vulnerability was identified in Campcodes Grocery Sales and Inventory System 1.0. It affects an unknown function of the file /ajax.php?action=delete_supplier. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. An exploit is publicly available and may be used.
AI Analysis
Technical Summary
CVE-2025-10416 is a SQL injection vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. The flaw is in the /ajax.php endpoint when the 'action' parameter is set to 'delete_supplier' and the 'ID' argument is manipulated. Because the 'ID' parameter is not properly validated or sanitized before it reaches the database query, an attacker can inject arbitrary SQL remotely without authentication or user interaction. Exploitation could allow unauthorized SQL queries against the backend database, leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity): the attack vector is network-based, attack complexity is low, and no privileges or user interaction are required. The impact on confidentiality, integrity, and availability is limited but present, since the flaw allows partial compromise of the database. No official patches or mitigations have been published yet; no exploitation in the wild is currently known, but a public exploit is available, which increases the risk. Only version 1.0 of the Campcodes Grocery Sales and Inventory System is affected. The product manages grocery sales and inventory data, so it is a critical component for retail operations that rely on it.
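The pattern the summary describes, and its fix, as an added example that is not the product's own code (the application is PHP; this is a Python model over an in-memory SQLite table whose schema is constructed for the example). The unsafe function splices the request's ID into the statement; the hardened one allow-lists the ID's shape and binds it as a parameter.

```python
import re
import sqlite3

# Supplier IDs are integer primary keys: accept only a short decimal string.
ID_RE = re.compile(r'\d{1,10}')

def make_db():
    """Constructed in-memory stand-in for the suppliers table (not the product's real schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO suppliers VALUES (?, ?)',
                     [(1, 'Fresh Farms'), (2, 'Dairy Direct'), (3, 'Bakery Co')])
    conn.commit()
    return conn

def remaining(conn):
    return conn.execute('SELECT COUNT(*) FROM suppliers').fetchone()[0]

def delete_supplier_unsafe(conn, raw_id):
    """Models the flaw: the request's ID is spliced into the statement as text."""
    cur = conn.execute(f'DELETE FROM suppliers WHERE id = {raw_id}')
    return cur.rowcount   # number of rows actually deleted

def delete_supplier(conn, raw_id):
    """Hardened version: allow-list the ID's shape, then bind it as a query parameter.

    The caller's authentication is out of scope here but must also be enforced,
    since the advisory notes the endpoint is reachable without it.
    """
    if not ID_RE.fullmatch(str(raw_id)):
        raise ValueError('supplier id must be a decimal integer')
    cur = conn.execute('DELETE FROM suppliers WHERE id = ?', (int(raw_id),))
    return cur.rowcount
```

With a malformed ID the hardened function refuses before any SQL runs, while the unsafe one lets a boolean tail in the ID widen the DELETE to the whole table.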
Potential Impact
For European organizations using the Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their inventory and sales data. Successful exploitation could lead to unauthorized disclosure of supplier or sales information, manipulation or deletion of critical inventory records, and disruption of business operations. Retailers and grocery chains relying on this system could face operational downtime, financial losses, and reputational damage. Additionally, compromised data could violate GDPR requirements regarding data protection and breach notification, leading to regulatory penalties. Since the vulnerability requires no authentication and can be exploited remotely, attackers could leverage this flaw to gain footholds within corporate networks or pivot to other systems. The medium severity rating suggests a moderate but tangible threat, especially for organizations that have not applied any custom mitigations or network protections. The lack of patches increases the urgency for organizations to implement compensating controls to reduce exposure.
Mitigation Recommendations
European organizations should immediately inventory their systems to identify any deployments of Campcodes Grocery Sales and Inventory System version 1.0. Until an official patch is released, organizations should implement the following specific mitigations:
1) Restrict access to the vulnerable /ajax.php endpoint with network-level controls such as IP allow-listing or VPN-only access to the management interfaces.
2) Deploy a Web Application Firewall (WAF) with custom rules that detect and block SQL injection patterns targeting the 'delete_supplier' action and the 'ID' parameter.
3) Where source code access is available, review the code and apply input validation and parameterized queries so that the 'ID' parameter is properly sanitized.
4) Monitor logs for unusual or repeated requests to /ajax.php?action=delete_supplier that could indicate exploitation attempts.
5) Segregate the inventory system's network segment from other critical infrastructure to limit lateral movement in case of compromise.
6) Prepare incident response plans specific to SQL injection attacks and data breaches involving inventory systems.
7) Engage with the vendor for updates and patches, and plan for timely application once they are available.
These actions go beyond generic advice by focusing on the specific vulnerable endpoint, attack vector, and operational context of grocery sales systems.
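Log monitoring for recommendation 4, as an added example that is not part of the advisory: it parses combined-format access-log lines, keeps only requests to /ajax.php with action=delete_supplier, and alerts when the ID argument is not a plain integer, then counts repeat sources. The log lines, addresses and user agents are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format) for this example; none of
# the addresses or requests come from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2025:00:10:01 +0000] "GET /ajax.php?action=delete_supplier&id=12 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2025:00:10:02 +0000] "GET /ajax.php?action=delete_supplier&id=12%27%20OR%201%3D1--%20- HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Sep/2025:00:10:03 +0000] "POST /ajax.php?action=delete_supplier HTTP/1.1" 200 17 "-" "python-requests/2.32"
203.0.113.7 - - [15/Sep/2025:00:10:04 +0000] "GET /ajax.php?action=delete_supplier&ID=12%20AND%20SLEEP(5) HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.3 - - [15/Sep/2025:00:10:05 +0000] "GET /index.php?page=suppliers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A supplier ID is a numeric primary key, so any other shape is suspicious.
ID_OK = re.compile(r'\d{1,10}')

def check_line(line):
    """Return an alert dict for a request to the vulnerable action with a malformed id, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m['target'])
    if url.path != '/ajax.php':
        return None
    params = parse_qs(url.query, keep_blank_values=True)   # decodes %27, %20, ...
    if params.get('action', [''])[0] != 'delete_supplier':
        return None
    # The advisory names the argument 'ID'; match the key case-insensitively.
    ids = [v for k, vs in params.items() if k.lower() == 'id' for v in vs]
    bad = [v for v in ids if not ID_OK.fullmatch(v)]
    if not bad:
        return None   # plain integer ids, or an id sent in a POST body this log does not record
    return {'ip': m['ip'], 'ts': m['ts'], 'ua': m['ua'], 'id': bad[0]}

def scan(log_text):
    return [a for a in (check_line(l) for l in log_text.splitlines()) if a]

def repeat_offenders(alerts, threshold=2):
    """Source addresses with at least `threshold` alerts: repeated probing of the endpoint."""
    counts = Counter(a['ip'] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

POST bodies are not in a standard access log, so the third line passes silently; pair this with request-body logging or a WAF rule at the application layer to cover that path.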
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-14T06:23:14.785Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c7591939776bc2a1466a44
Added to database: 9/15/2025, 12:08:57 AM
Last enriched: 9/22/2025, 12:35:44 AM
Last updated: 10/29/2025, 8:31:10 PM